1 Answer

It's likely that PCI-DSS doesn't really apply to you. Most e-commerce sites outsource their payment to a payment processing company, e.g. PayPal or Google Checkout. This means that you never store financial information about your customers.

But, if you want to do it yourself, and you'll be directly storing and accepting card payments, then you should read the PCI-DSS guidelines and understand fully what's required before going ahead. PCI-DSS isn't just a certification - it becomes part of the contract you have with the bank that accepts your funds.

If you're not experienced in security, you'll need to get training. Same goes for any developers you hire. You may also be legally required to follow certain government laws related to data storage (e.g. Data Protection Act in the UK), which will require further study. You might need to consult a lawyer.

Once your system design is complete, it's worth paying a security consultant to identify any security problems that you might face. From there, you can move to implementation. You'll need to follow strict code security guidelines, as well as take careful consideration in choosing your hardware and hosting platforms. You may need to invest in an HSM or a similar system to store credit card details, depending on applicable laws and regulations. Once you've completed the development, you'll need a security review by a company certified to provide PCI-DSS compliance tests. These tests usually involve normal penetration testing, as well as checking for compliance in all areas of the standard.

Once that's all done, you're (probably) PCI-DSS compliant. Your bank may ask you to perform periodic re-testing of your site.

All in all, it's not cheap or easy to comply with PCI-DSS. It may be wiser to let the payment processing companies handle this burden, and focus on making a better online experience for your customers.